[Semibug] Problem with mtree

Aaron Lopez vieroninfo at gmail.com
Thu Apr 27 17:59:33 EDT 2023


Hi Jonathan,

did you get this working in the end? It seems very interesting so it would
be nice to know if you did progress with mtree. I would like to try it out
sooner or later. I originally read about it at
https://docs.freebsd.org/en/books/handbook/security/#security-ids but never
got to try it out. I just happened to come across this other link as well:
https://calomel.org/ids_mtree.html in which the author wrote a small shell
script to implement a small IDS with mtree.

Aaron

On Mon, Apr 24, 2023 at 4:51 PM Jonathan Drews <jondrews at fastmail.com>
wrote:

> Hi Aaron:
>
>  That is a typing mistake. I did use mtree -cK sha256digest  > in both
> root and a normal user.
>
> On Mon, Apr 24, 2023, at 07:27, Aaron Lopez wrote:
> > Hi Jonathan,
> >
> > I noticed that for /root you used a small "k" meanwhile as a normal user
> you used a capital "K". Could that be the issue?
> >
> > Kind regards,
> > Aaron
> >
> > On Mon, Apr 24, 2023 at 10:47 AM Jonathan Drews <jondrews at fastmail.com>
> wrote:
> >> My computer system:
> >> $ uname -mprsv
> >> OpenBSD 7.3 GENERIC.MP#1125 amd64 amd64
> >>
> >> I have a problem with running mtree as root. I want to make a base file
> >> for / and all its subdirectories using the command:
> >>
> >> # mtree -ck sha256digest > /root/root24Apr2023.mtree
> >>
> >> but I get the following error message:
> >>
> >> unknown keyword: sha256digest.
> >>
> >> however if I run it as an ordinary user it works fine:
> >>
> >> $ mtree -cK sha256digest  > homeCleetus3.mtree
> >>
> >> look:
> >> $ cat homeCleetus3.mtree | head
> >>
> >> #          user: cleetus
> >> #       machine: Leo.my.domain
> >> #          tree: /home/cleetus
> >> #          date: Mon Apr 24 01:07:21 2023
> >>
> >> # .
> >> /set type=file uid=1000 gid=1000 mode=0640 nlink=1
> >> .               type=dir mode=0755 nlink=58 time=1682319490.964620832
> >>     .Xauthority mode=0600 size=450 time=1682149878.454612237 \
> >>                 sha256digest=4372c73e50cf1cc00822db9db1631e4f7ad7f71d9724633ab740b5fcfbb19a71
> >>
> >> if I run mtree like so:
> >> # cd /
> >> # mtree -c /root/root24Apr2023.mtree
> >>
> >> it records the files and directories.
> >>
> >> What am I doing wrong here? I am creating a base file of directories
> >> in case of intrusion. If I suspect an intrusion, then I would cd  to
> >> root (/) and run:
> >>
> >> mtree -f root24Apr2023.mtree > diffRoot.mtree
> >>
> >> and look for any changed files.
> >>
> >> FYI I used this tutorial on mtree:
> >> https://forums.freebsd.org/threads/small-guide-on-using-mtree.61113/
> >>
> >>
> >> --
> >> Kind regards,
> >> Jonathan
> >>
> >> _______________________________________________
> >> Semibug mailing list
> >> Semibug at lists.nycbug.org
> >> https://lists.nycbug.org:8443/mailman/listinfo/semibug
>
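The create-then-compare workflow discussed in this thread (`mtree -c -K sha256digest` to write a baseline, `mtree -f` to check against it), as an added example that is not part of any message above nor the calomel.org script: it re-implements that subset of mtree's specification format in Python so it can be run and tested on systems where mtree is not installed. It records only the keywords visible in the quoted output (type, mode, size, sha256digest) plus link for symlinks; the file name handling and the `create_spec`/`check_spec` names are this example's own.

```python
import hashlib
import os
import stat

# Keywords from the spec in the thread; "link" added so symlink targets are checked.
KEYWORDS = ("type", "mode", "size", "link", "sha256digest")

def _keywords(path):
    """Record the mtree keywords above for one path (lstat: symlinks not followed)."""
    st = os.lstat(path)
    kw = {"mode": "%04o" % stat.S_IMODE(st.st_mode)}
    if stat.S_ISDIR(st.st_mode):
        kw["type"] = "dir"
    elif stat.S_ISLNK(st.st_mode):
        kw["type"], kw["link"] = "link", os.readlink(path)
    else:
        kw["type"], kw["size"] = "file", str(st.st_size)
        with open(path, "rb") as fh:
            kw["sha256digest"] = hashlib.sha256(fh.read()).hexdigest()
    return kw

def create_spec(root):
    """Like `mtree -c -K sha256digest` inside root; names are not vis(3)-encoded (no whitespace)."""
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order, like mtree's sorted output
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            kw = _keywords(full)
            pairs = " ".join(f"{k}={kw[k]}" for k in KEYWORDS if k in kw)
            lines.append(f"{os.path.relpath(full, root)} {pairs}")
    return lines

def parse_spec(lines):
    """Read spec lines back into {path: {keyword: value}}, skipping '#' comments."""
    spec = {}
    for line in lines:
        if line.strip() and not line.startswith("#"):
            path, *pairs = line.split()
            spec[path] = dict(p.split("=", 1) for p in pairs)
    return spec

def check_spec(root, spec_lines):
    """Like `mtree -f spec` inside root: (changed keywords per path, missing, extra)."""
    baseline, current = parse_spec(spec_lines), parse_spec(create_spec(root))
    changed = {p: [k for k in KEYWORDS if baseline[p].get(k) != current[p].get(k)]
               for p in baseline if p in current and baseline[p] != current[p]}
    return (changed, sorted(set(baseline) - set(current)),
            sorted(set(current) - set(baseline)))
```

Store the baseline somewhere the checked tree cannot alter it (read-only media or another host), since a baseline kept under the tree it describes can be rewritten along with the files it is meant to catch.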